CCNP Implementing Secured Converged Wide-Area Networks (ISCW 642-825) Lab Portfolio (Cisco Networking Academy)

David Kotfila, CCNP, CCAI, is the director of the Cisco Academy at Rensselaer Polytechnic Institute (RPI) in Troy, New York. Under his direction, 350 students have received their CCNA, 150 students have received their CCNP, and 8 students have obtained their CCIE. David is a consultant for Cisco, working as a member of the CCNP assessment group. His team at RPI has authored the four new CCNP lab books for the Academy program. David has served on the National Advisory Council for the Academy program for four years. Previously, he was the senior training manager at PSINet, a Tier 1 global ISP. When David is not staring at his beautiful wife, Kate, or talking with his two wonderful children, Chris and Charis, he likes to kayak, hike in the mountains, and lift weights.   Joshua Moorhouse, CCNP, recently graduated from Rensselaer Polytechnic Institute (RPI) with a B.S. in computer science, where he also worked as a teaching assistant in the Cisco Academy. He currently works as a network engineer at Factset Research Systems in Norwalk, Connecticut. Josh enjoys spending time with his wife Laura, his family, and friends.   Ross Wolfson, CCIE No. 16696, recently graduated from Rensselaer Polytechnic Institute (RPI) with a B.S. in computer science. He currently works as a network engineer at Factset Research Systems. Ross enjoys spending time with his friends, running, and biking.  

Introduction

Chapter 1 Remote Network Connectivity Requirements

Lab 1-1: Lab Configuration Guide

Chapter 2 Teleworker Connectivity

Scenario: Configuring the CPE as the PPPoE Client

Scenario: Configuring the CPE as the PPPoE Client over the ATM Interface

Chapter 3 IPsec VPNs

Lab 3-1: Configuring SDM on a Router (3.10.1)

    Scenario 7

    Step 1: Lab Preparation 7

    Step 2: Prepare the Router for SDM 7

    Step 3: Configure Addressing 8

    Step 4: Extract SDM on the Host 10

    Step 5: Install SDM on the PC 13

    Step 6: Run SDM from the PC 16

    Step 7: Install SDM to the Router 19

    Step 8: Run SDM from the Router 23

    Step 9: Monitor an Interface in SDM 24

Lab 3-2: Configuring a Basic GRE Tunnel (3.10.2) 26

    Scenario 26

    Step 1: Configure Loopbacks and Physical Interfaces 26

    Step 2: Configure EIGRP AS 1 27

    Step 3: Configure a GRE Tunnel 28

    Step 4: Routing EIGRP AS 2 over the Tunnel 30

Lab 3-3: Configuring Wireshark and SPAN (3.10.3) 33

    Scenario 33

    Step 1: Configure the Router 33

    Step 2: Install Wireshark and WinPcap 33

    Step 3: Configure SPAN on a Switch 39

    Step 4: Sniff Packets Using Wireshark 40

Lab 3-4: Configuring Site-to-Site IPsec VPNs with SDM (3.10.4) 43

    Scenario 43

    Step 1: Configure Addressing 43

    Step 2: Configure EIGRP 44

    Step 3: Connect to the Routers via SDM 45

    Step 4: Configure Site-to-Site IPsec VPN via SDM 45

    Step 5: Generate a Mirror Configuration for R3 53

    Step 6: Verify the VPN Configuration Using SDM 56

    Step 7: Verify the VPN Configuration Using the IOS CLI 59

    Challenge: Use Wireshark to Monitor Encryption of Traffic 65

    TCL Script Output 70

Lab 3-5: Configuring Site-to-Site IPsec VPNs with the IOS CLI (3.10.5) 74

    Scenario 74

    Step 1: Configure Addressing 74

    Step 2: Configure EIGRP 75

    Step 3: Create IKE Policies 76

    Step 4: Configure Preshared Keys 78

    Step 5: Configure the IPsec Transform Set and Lifetimes 78

    Step 6: Define Interesting Traffic 80

    Step 7: Create and Apply Crypto Maps 81

    Step 8: Verify IPsec Configuration 82

    Step 9: Verify IPsec Operation 83

    Step 10: Interpret IPsec Event Debugging 85

    Challenge: Use Wireshark to Monitor Encryption of Traffic 97

    TCL Script Output 103

Lab 3-6: Configuring a Secure GRE Tunnel with SDM (3.10.6) 106

    Scenario 106

    Step 1: Configure Addressing 106

    Step 2: Configure EIGRP AS 1 107

    Step 3: Connect to the Router Using SDM 108

    Step 4: Configure an IPsec VTI Using SDM 108

    Step 5: Generate a Mirror Configuration for R3 117

    Step 6: Verify Tunnel Configuration Through SDM 120

    Challenge: Use Wireshark to Monitor Encryption of Traffic 124

    TCL Script Output 128

Lab 3-7: Configuring a Secure GRE Tunnel with the IOS CLI (3.10.7) 133

    Scenario 133

    Step 1: Configure Addressing 133

    Step 2: Configure EIGRP AS 1 134

    Step 3: Configure the GRE Tunnel 134

    Step 4: Configure EIGRP AS 2 over the Tunnel 135

    Step 5: Create IKE Policies and Peers 136

    Step 6: Create IPsec Transform Sets 136

    Step 7: Define the Traffic to Be Encrypted 137

    Step 8: Create and Apply Crypto Maps 137

    Step 9: Verify Crypto Operation 138

    Challenge: Use Wireshark to Monitor Encryption of Traffic 139

Lab 3-8: Configuring IPsec VTIs (3.10.8) 144

    Scenario 144

    Step 1: Configure Addressing 144

    Step 2: Configure EIGRP AS 1 145

    Step 3: Configure Static Routing 145

    Step 4: Create IKE Policies and Peers 147

    Step 5: Create IPsec Transform Sets 148

    Step 6: Create an IPsec Profile 148

    Step 7: Create the IPsec VTI 149

    Step 8: Verify Proper EIGRP Behavior 151

Lab 3-9: Configuring Easy VPN with SDM (3.10.9) 154

    Scenario 154

    Step 1: Configure Addressing 154

    Step 2: Configure EIGRP AS 1 155

    Step 3: Configure a Static Default Route 156

    Step 4: Connect to HQ Through SDM 156

    Step 5: Configure Easy VPN Server Through SDM 156

    Step 6: Install the Cisco VPN Client 166

    Step 7: Test Access from Client Without VPN Connection 169

    Step 8: Connect to the VPN 169

    Step 9: Test Network Access with VPN Connectivity 175

    Step 10: Verify Easy VPN Functionality with SDM 176

    Step 11: Disconnect the VPN Client 178

Lab 3-10: Configuring Easy VPN with the IOS CLI 180

    Scenario 180

    Step 1: Configure Addressing 180

    Step 2: Configure EIGRP AS 1 181

    Step 3: Configure a Static Default Route 181

    Step 4: Enable AAA on HQ 182

    Step 5: Create the IP Pool 182

    Step 6: Configure the Group Authorization 182

    Step 7: Create an IKE Policy and Group 182

    Step 8: Configure the IPsec Transform Set 184

    Step 9: Create a Dynamic Crypto Map 184

    Step 10: Enable IKE DPD and User Authentication 184

    Step 11: Install the Cisco VPN Client 185

    Step 12: Test Access from Client Without VPN Connection 187

    Step 13: Connect to the VPN 188

    Step 14: Test Inside VPN Connectivity 193

    Step 15: Verify VPN Operation Using the CLI 194

    Step 16: Disconnect the VPN Client 195

Lab 3-11: IPsec Challenge Lab 196

Lab 3-12: IPsec Troubleshooting Lab 198

    Initial Configurations 199

Chapter 4 Frame Mode MPLS Implementation 205

Lab 4-1: Configuring Frame Mode MPLS (4.5.1) 205

    Scenario 205

    Step 1: Configure Addressing 206

    Step 2: Configure EIGRP AS 1 206

    Step 3: Observe CEF Operation 207

    Step 4: Enable MPLS on All Physical Interfaces 209

    Step 5: Verify MPLS Configuration 210

    Step 6: Change MPLS MTU 215

Lab 4-2: Challenge Lab: Implementing MPLS VPNs (4.5.2) 217

    Scenario 218

    Step 1: Configure Addressing 219

    Step 2: Configure Routing in the Service-Provider Domain 219

    Step 3: Configure MPLS in the SP Domain 220

    Step 4: Configure a VRF 221

    Step 5: Configure EIGRP AS 1 225

    Step 6: Configure BGP 227

    Step 7: Investigate Control Plane Operation 229

    Step 8: Investigate Forwarding Plane Operation 235

    Conclusion 238

Chapter 5 Cisco Device Hardening 241

Lab 5-1: Using SDM One-Step Lockdown (5.12.1) 241

    Scenario 241

    Step 1: Configure Addressing 241

    Step 2: Install Nmap on the Host 242

    Step 3: Run a Port Scan with Nmap 245

    Step 4: Prepare a Router for SDM 245

    Step 5: Use SDM One-Step Lockdown 246

    Step 6: Use Nmap to See Changes 249

    Conclusion 250

Lab 5-2: Securing a Router with Cisco AutoSecure (5.12.2) 251

    Scenario 251

    Step 1: Configure the Physical Interface 251

    Step 2: Configure AutoSecure 251

Lab 5-3: Disabling Unneeded Services (5.12.3) 259

    Scenario 259

    Step 1: Configure the Physical Interface 259

    Step 2: Ensure Services Are Disabled 259

    Step 3: Manage Router Access 260

    Step 4: Disable CDP 261

    Step 5: Disable Other Unused Services 261

    Step 6: Disabling Unneeded Interface Services 262

Lab 5-4: Enhancing Router Security (5.12.4) 263

    Scenario 263

    Step 1: Configure the Physical Interfaces 263

    Step 2: Telnet to R1 264

    Step 3: Configure Cisco IOS Login Enhancements 265

    Step 4: Enforce a Minimum Password Length 269

    Step 5: Modify Command Privilege Levels 270

    Step 6: Create a Banner 273

    Step 7: Enable SSH 273

    Step 8: Encrypt Passwords 275

Lab 5-5: Configuring Logging (5.12.5) 276

    Scenario 276

    Step 1: Configure the Interface 276

    Step 2: Install the Kiwi Syslog Daemon 276

    Step 3: Run the Kiwi Syslog Service Manager 277

    Step 4: Configure the Router for Logging 277

    Step 5: Verify Logging 279

    Step 6: Configure Buffered Logging 280

Lab 5-6a: Configuring AAA and TACACS+ (5.12.6a) 283

    Scenario 283

    Step 1: Configure the Interface 283

    Step 2: Install CiscoSecure ACS 283

    Step 3: Configure Users in CiscoSecure ACS 288

    Step 4: Configure AAA Services on R1 292

Lab 5-6b: Configuring AAA and RADIUS (5.12.6b) 294

    Scenario 294

    Step 1: Configure the Interface 294

    Step 2: Install CiscoSecure ACS 294

    Step 3: Configure Users in CiscoSecure ACS 299

    Step 4: Configure AAA Services on R1 303

Lab 5-6c: Configuring AAA Using Local Authentication (5.12.6c) 305

    Step 1: Configure the Interface 305

    Step 2: Configure the Local User Database 305

    Step 3: Implement AAA Services 305

Lab 5-7: Configuring Role-Based CLI Views (5.12.7) 307

    Scenario 307

    Step 1: Configure an Enable Secret Password 307

    Step 2: Enable AAA 307

    Step 3: Change to the Root View 308

    Step 4: Create Views 309

    Step 5: Create a Superview 312

Lab 5-8: Configuring NTP (5.12.8) 313

    Scenario 313

    Step 1: Configure the Physical Interfaces 313

    Step 2: Set Up the NTP Master 314

    Step 3: Configure an NTP Client 314

    Step 4: Configure NTP Peers with MD5 Authentication 315

Chapter 6 Cisco IOS Threat Defense Features 319

Lab 6-1: Configuring a Cisco IOS Firewall Using SDM (6.6.1) 319

    Scenario 319

    Step 1: Configure Loopbacks and Physical Interfaces 320

    Step 2: Configure Routing Protocols 320

    Step 3: Configure Static Routes to Reach the Internet 321

    Step 4: Connect to FW Using SDM 322

    Step 5: Use the SDM Advanced Firewall Wizard 323

    Step 6: Modify the Firewall Configuration 331

    Step 7: Monitor Firewall Activity 334

    Conclusion 337

Lab 6-2: Configuring CBAC (6.6.2) 338

    Scenario 338

    Step 1: Configure the Physical Interfaces 338

    Step 2: Configure Static Default Routes 339

    Step 3: Enable Telnet Access 339

    Step 4: Create IP Inspect Rules 339

    Step 5: Block Unwanted Outside Traffic 341

    Step 6: Verify CBAC Operation 341

Lab 6-3: Configuring IPS with SDM (6.6.3) 344

    Scenario 344

    Step 1: Configure the Physical Interfaces 344

    Step 2: Configure Static Default Routes 345

    Step 3: Enable Telnet Access 345

    Step 4: Connect to FW Using SDM 345

    Step 5: Use the SDM IPS Rule Wizard 346

    Step 6: Verify and Modify IPS Behavior 353

    Challenge: Add a Signature 358

Lab 6-4: Configuring IPS with CLI (6.6.4) 364

    Scenario 364

    Step 1: Configure Addressing 364

    Step 2: Configure Static Default Routes 365

    Step 3: Create and Apply an IPS Rule 365

    Step 4: Modify Default IPS Behavior 366

Chapter 7 Case Studies 371

Case Study 1: CLI IPsec and Frame-Mode MPLS 371

    Questions 372

Case Study 2: Device Hardening and VPNs 373

 

158713215x    TOC    2/28/2008